This invention related generally to systems and methods for detecting and preventing internal and external threats to technology infrastructure, information assets and intellectual property of enterprises and other organizations, and more particularly to assessing threats based on a mix of behavioral and direct indicators.
The rapid detection of security threats is critical for organizations to prevent compromise of their computer systems, data, networks and applications. Organizations, whether commercial, educational or governmental, and other enterprises store and transfer the majority of their data in digital form in computer systems and databases. Much of this data is valuable confidential commercial information such as business plans or trade secret information, or private information about individual employees or members that is not intended for public view, and any exposure or manipulation of this information could cause the organization or employees great financial or reputational damage. Organizations are frequently challenged by the attacks that involve fraud, data destruction or theft, intellectual property theft, or national security implications. Some attackers may be backed by nation states or groups with political agendas and apply more sinister attacks intended to gain control of or to damage critical infrastructures.
Organizations typically employ a multi-layered network topology that separates various components of their IT infrastructure from the Internet or other external networks. Internal network workstations and servers are generally protected from direct attack from external sources by network proxy servers; external network traffic is typically terminated by such servers at “demilitarized network zones” (DMZ); and the incoming traffic is filtered through a firewall. External attackers normally attempt to penetrate an organization's defenses that are set up at the organization's network perimeter, and many security approaches attempt to prevent network access by such external attacks. Once external attackers breach the network perimeter and get onto the internal network, they become much more difficult to detect and defend against. They may unleash malware or attempt to access internal data, and typically operate under the guise of an internal user by either hijacking an existing user's account or by creating a new user account. Inside attackers are more insidious and pose threats that are more difficult to detect and defend against because the inside attackers are perceived to be rightful users of the organization's computer network systems. They may have legitimate IT accounts, and their unauthorized and illicit activities may generally fall within authorized areas of responsibility for insiders, but otherwise exceed what is normal behavior. For instance, illicit behavior by an employee customer service representative such as granting a customer an inappropriately large refund, or by an insider accessing and manipulating customer information or other sensitive data may be difficult to detect as a threat.
Many approaches to external threat detection utilize signatures of known attacks to identify and create models for providing alerts upon detecting activities having similar signatures. In order to define signatures for any new threats, the underlying components of the associated threat vectors must be studied in detail and signatures of these threat vectors must be made available to a threat detection system. There are several major shortcomings of these signature-based threat detection approaches. The development of signatures for new threats requires an in-depth analysis on an infected system, which is time consuming and resource intensive, and may be too slow to address quickly evolving threats. Signatures also do not adapt well to changes in threat vectors. Moreover, signature-based defenses cannot protect against zero-day attacks that exploit previously unknown vulnerabilities, and are ineffective for detecting insider threats originating from within an organization.
Identifying insider attacks typically involves constructing various profiles for the normal behaviors of insiders, detecting anomalous deviations from these profiles, and estimating the probabilities of threat risks of these anomalies. However, constructing profiles that accurately characterize normal insider behavior is difficult and an inexact art. Moreover, organizations in different industries may have different profile models for behavior considered normal. For example, the health care industry has models for normal activities that are different from those for the financial and retail industries due to inherent differences between the industries. Applying the same profile models to different industries can lead to false results. Moreover, many profiles are constructed using statistical approaches for observables that are assumed often incorrectly to be normally distributed when they are not. Using such profiles for detecting anomalies that represent possible threats can produce erroneous results and lead to many false positive alerts that can overwhelm security analysts. Balancing between the risk of missing an actual threat by using high confidence levels for detection to minimize false positives and using an overly permissive approach that floods security analysts with alerts is a difficult trade-off.
There is a need for systems and methods that address these and other known problems in reliably detecting, evaluating and assessing threat risks to protect organizations from data breaches, attacks and other injuries. In particular, there is a need for more accurate threat modeling and risk evaluation approaches that reliably identify threats and evaluate threat risks within an organization's IT infrastructure while minimizing false positive alerts. It is to these ends that this invention is directed.